We present a methodology for the automated verification of quantum protocols using MCMAS, a
symbolic model checker for multi-agent systems [17]. The method is based on the logical framework
developed by D'Hondt and Panangaden [10] for investigating epistemic and temporal properties, built
on the model for Distributed Measurement-based Quantum Computation (DMC) [9], an extension
of the Measurement Calculus [8] to distributed quantum systems. We describe the translation map
from DMC to interpreted systems, the typical formalism for reasoning about time and knowledge in
multi-agent systems [14]. Then, we introduce DMC2ISPL, a compiler into the input language of the
MCMAS model checker [17]. We demonstrate the technique by verifying the Quantum Teleportation
Protocol, and discuss the performance of the tool.

1 Introduction 

Quantum computing has gained prominence in the last decade due to theoretical advances as well as
applications to security, information processing, and simulation of quantum mechanical systems [19].
With this increase of activity, the need for validation of correctness of quantum algorithms has arisen.
Model checking has been shown to be a promising verification technique [6]. However, tools and techniques
for model checking both temporal and epistemic properties of quantum systems have not been developed
yet. In this paper we aim to bridge this gap by introducing a methodology for the automated verification
of quantum protocols using MCMAS [17], a symbolic model checker for multi-agent systems (MAS).

The fundamental question from an epistemic point of view is how to model a flow of quantum
information. Is it meaningful to talk about "quantum knowledge"? And if it is, how can we express
this concept? Several logics, which can be used for reasoning about knowledge in the context of
distributed quantum computation, have been recently suggested. One of the first attempts was based on
Quantum Message Passing Environments [18]. A different approach, i.e. Quantum Dynamic-Epistemic
Logic [1, 2, 3], was developed to model the behaviour of quantum systems. A third account [7, 10, 11] was
built on the Distributed Measurement-based Quantum Computation [9], which extends the Measurement
Calculus [8], a formal model for one-way quantum computations. Among these accounts, the logic
based on Distributed Measurement-based Quantum Computation (DMC) has an underlying operational
semantics similar to the semantics of interpreted systems [14]. This makes it suitable for model checking
using MCMAS. However, interpreted systems (IS) have a Boolean semantics, which requires us to
abstract from the underlying probability distribution. While we recognise that a full analysis of quantum
phenomena requires stochastic considerations, we believe there are still useful lessons to be learned about
protocols when these are abstracted from. The point of the paper is partly to explore this hypothesis.

In this paper we describe a translation from DMC to IS. We also report on a source-to-source compiler
that performs the translation into the input language of MCMAS. The compiler enables the use of MCMAS
to automatically verify temporal and epistemic properties of quantum protocols specified in DMC. We
verify the Quantum Teleportation protocol [5] against the properties stated and informally proved in [10],
and show that one specification does not hold, contrary to the paper's claim.
Related Work. Several approaches to model checking quantum systems have already appeared in the
literature. To our knowledge, the only dedicated verification tool for quantum protocols is the Quantum
Model Checker (QMC) [15]. The model checker supports specifications in quantum computational
temporal logic (QCTL), but quantum operators are restricted to the Clifford group, which is the normalizer
of the group of Pauli operators [19]. Although it contains many common operators, quantum circuits that
involve only Clifford group operators are not universal. Such circuits can be simulated in polynomial time
on a classical computer; however, this comes at the cost of a loss of expressive power.

In the same research line, [20] proposes a theoretical framework to model check LTL properties using quantum
automata, and presents an algorithm for checking invariants of quantum systems. Finally,
in [13] the Quantum Key Distribution (QKD) protocol is verified against specific eavesdropping security
properties. The authors elaborate an ad hoc model of the protocol, which they analyse using PRISM [16].

However, we stress that none of these contributions explicitly deals with knowledge. So, these
approaches do not allow the verification of the temporal epistemic properties discussed in [10].

Structure. Organizationally, Section 2 gives an overview of the Distributed Measurement-based
Quantum Computation, Interpreted Systems, and Quantum Epistemic Logic. Section 3 presents a
methodology for translating a protocol specified in DMC into the corresponding IS. Section 4 describes
and evaluates an implementation of the formal methodology. Section 5 offers brief conclusions.

2 Preliminaries 

We discuss only the issues directly related to the paper and refer the reader to the relevant references for an
in-depth coverage of these topics. We assume familiarity with the concepts of quantum computation [19].

2.1 Distributed Measurement-based Quantum Computation 

At the heart of the Measurement Calculus are measurement patterns [8]. A pattern 𝔓 = (V, I, O, 𝒜)
consists of a computation space V, which contains all qubits involved in the execution, a set I of
input qubits, a set O of output qubits, and a finite sequence 𝒜 of commands A_n ... A_1, which are applied to
qubits in V from right to left. The possible commands are the entanglement operator E_qr, the measurement
M_q^α, and the corrections X_q and Z_q, where q and r represent the qubits on which these commands operate,
and α is a measurement angle in [0, 2π].

An agent A [9], denoted as A(i,o) : Q.ε, is characterised by its classical input i and output o, by a
set Q of qubits, and by a finite event sequence ε, which consists of patterns and commands for classical
(c!x, c?y) and quantum (qc!q, qc?x) communication. A network N of agents [9] is defined as a set
of concurrently acting agents, together with the global quantum state σ, specifically N = A_1(i_1,o_1) :
Q_1.ε_1 | ... | A_m(i_m,o_m) : Q_m.ε_m || σ, abbreviated as N = |_i A_i(i_i,o_i) : Q_i.ε_i || σ. The configuration C
of a network N at a particular point in time is described by a set of agents, their classical local states, and
the quantum state σ, formally C = σ, Γ_1,a_1 | Γ_2,a_2 | ... | Γ_m,a_m, abbreviated as C = σ, |_i Γ_i,a_i, where Γ_i
represents the classical state of agent a_i, which is defined as a partial mapping from classical variables to
values. The set 𝒞_N contains all configurations that potentially occur during the execution of the network N.

Operational and denotational semantics for DMC are defined in [9]; however, here we are more
interested in its small-step semantics. The following small-step rules for configuration transitions describe
how the network evolves over time. If the quantum state does not change in an evaluation step, the writing
σ ⊢ precedes the rule. Also, we use a shorthand notation for agents: a_i = A_i : Q_i.ε_i, a_i.E = A_i : Q_i.[ε_i.E],
a^{\q} = A : Q\{q}.ω, and a^{q/x} = A : Q ∪ {q}.ω[q/x], where E is some event.

\[
\sigma,\Gamma,A : I \cup R.[\varepsilon.\mathfrak{P}] \;\longrightarrow_{\lambda}\; \sigma',\Gamma\cup\Gamma',A : O \cup R.\varepsilon \tag{1}
\]

\[
\sigma \vdash \big(\Gamma_1,a_1.c?x \mid \Gamma_2,a_2.c!y \;\Rightarrow\; \Gamma_1[x \mapsto v],a_1 \mid \Gamma_2,a_2\big), \quad v = \Gamma_2(y) \tag{2}
\]

\[
\sigma \vdash \big(\Gamma_1,a_1.qc?x \mid \Gamma_2,a_2.qc!q \;\Rightarrow\; \Gamma_1,a_1^{q/x} \mid \Gamma_2,a_2^{\backslash q}\big) \tag{3}
\]

\[
\frac{L \;\Rightarrow_{\lambda}\; R}{L \mid L' \;\Rightarrow_{\lambda}\; R \mid L'} \tag{4}
\]

The first rule refers to local operations. Since a pattern's big-step semantics is given by a probabilistic
transition system, described by →_λ, a probability λ is introduced here. Also, an agent changes its sort
depending on the pattern's output O. The next two rules are for the classical and the quantum rendez-vous.
For the quantum rendez-vous a substitution of q for x in the event sequence of the receiving agent is
performed and agents need to update their qubit sorts. Rule (4) is a metarule, which is required to express that
any of the other rules may fire in the context of a larger system.



2.2 Interpreted Systems and MCMAS

Interpreted systems [14] are the typical formalism for reasoning about time and knowledge in multi-agent
systems. In IS each agent i from a non-empty set Ag of agents is modelled by a set of local states L_i, a
set of actions Act_i that she may perform according to her protocol function P_i, and an evolution function
t_i. A special agent E, representing the environment in which the other agents operate, is also described
by a set of local states L_E, a set of actions Act_E, a protocol P_E, and an evolution function t_E. For every
j ∈ Ag ∪ {E}, the protocol P_j is defined as a function P_j : L_j → 2^{Act_j}, assigning a set of actions to a given
local state. Intuitively, a_j ∈ P_j(l_j) means that action a_j is enabled in l_j. The evolution function t_j is
a transition function returning the target local state given the current local state and the set of actions
performed by all agents, formally t_j : L_j × Act_1 × ... × Act_n × Act_E → L_j under the constraint a_j ∈ P_j(l_j).
Agents evolve simultaneously in every state of the system according to the joint transition function t.

The set Act of joint actions is defined as the Cartesian product of all agents' actions, formally
Act = Act_1 × ... × Act_n × Act_E. The Cartesian product S = L_1 × ... × L_n × L_E of the agents' local states
is the set of all global states of the system. The local state of agent i in the global state g ∈ S is denoted
as l_i(g). The description of an interpreted system is concluded by including a set of atomic propositions
AP = {p_1, p_2, ...} and an evaluation relation V ⊆ AP × S. Formally, an interpreted system is defined as a
tuple IS = ((L_i, Act_i, P_i, t_i)_{i ∈ Ag}, (L_E, Act_E, P_E, t_E), V).

Interpreted systems can be used to interpret CTLK, a logic combining the branching-time temporal
logic CTL with epistemic modalities. The formal language ℒ is built from propositional atoms p ∈ AP
and agents i ∈ Ag as follows:

\[
\varphi ::= p \mid \neg\varphi \mid \varphi \vee \varphi \mid EX\varphi \mid EG\varphi \mid E\varphi U\psi \mid K_i\varphi
\]

The formulae in ℒ have the following intuitive meaning. EXφ: there is a path where φ holds in the next
state; EGφ: there is a path where φ always holds; EφUψ: there is a path where φ holds at least until at
some state ψ holds; K_iφ: agent i knows φ. The other standard CTL formulae, e.g., AFφ: for all paths
φ eventually holds, can be derived from the above. The formal definition of satisfaction in interpreted
systems follows.
In an interpreted system IS the evolution function t determines a transition relation → on states such
that s → s' iff there is a joint action a ∈ Act such that t(s, a) = s'. A path π is an infinite sequence of
states s_0 → s_1 → ... Further, π^n denotes the n-th state in the sequence, i.e., s_n. Finally, for each agent
i ∈ Ag, we introduce the epistemic equivalence relation ~_i such that s ~_i s' iff l_i(s) = l_i(s').

Given the IS, a state s, and a formula φ ∈ ℒ, the satisfaction relation ⊨ is defined as follows:

\[
\begin{array}{lcl}
(IS,s) \models p & \text{iff} & V(p,s) \\
(IS,s) \models \neg\varphi & \text{iff} & (IS,s) \not\models \varphi \\
(IS,s) \models \varphi \vee \varphi' & \text{iff} & (IS,s) \models \varphi \ \text{or}\ (IS,s) \models \varphi' \\
(IS,s) \models EX\varphi & \text{iff} & \text{there is a path } \pi \text{ such that } \pi^0 = s \text{ and } (IS,\pi^1) \models \varphi \\
(IS,s) \models EG\varphi & \text{iff} & \text{there is a path } \pi \text{ such that } \pi^0 = s \text{ and for all } n \in \mathbb{N},\ (IS,\pi^n) \models \varphi \\
(IS,s) \models E\varphi U\varphi' & \text{iff} & \text{there is a path } \pi \text{ such that } \pi^0 = s,\ \text{for some } n \in \mathbb{N},\ (IS,\pi^n) \models \varphi', \\
& & \text{and for all } n',\ 0 \le n' < n \text{ implies } (IS,\pi^{n'}) \models \varphi \\
(IS,s) \models K_i\varphi & \text{iff} & \text{for all } s' \in S,\ s \sim_i s' \text{ implies } (IS,s') \models \varphi
\end{array}
\]

A formula φ ∈ ℒ is true in an IS, or IS ⊨ φ, iff for all s ∈ S, (IS,s) ⊨ φ.

In [17] the authors present a methodology for the verification of IS based on model checking [6] via
ordered binary decision diagrams. These verification techniques have been implemented in the MCMAS
model checker. The input to the model checker is given as an Interpreted Systems Programming Language
(ISPL) program, which is essentially a machine readable IS.



2.3 Quantum Epistemic Logic 

A formal framework for reasoning about temporal and epistemic properties of distributed quantum systems
was developed in [10] on top of DMC. The authors argue that quantum knowledge is not a meaningful
concept, but it is of interest to reason about classical knowledge pertaining to a quantum system. In this
sense, the quantum information possessed by an agent concerns the qubits she owns, the local operations
she applies to these qubits, the non-local entanglement she shares initially, and possibly prior knowledge
of her local quantum inputs. All this information is contained in her local state Γ_i and her event sequence
ε_i. Given a network N, the epistemic accessibility relation for an agent A_i is defined in [10] as
follows: for all configurations C = σ, |_i Γ_i, A_i : Q_i.ε_i and C' = σ', |_i Γ'_i, A_i : Q'_i.ε'_i in 𝒞_N, C and C' are
indistinguishable to agent A_i, written as C ~_i C', if Γ_i = Γ'_i and ε_i = ε'_i. The semantics for the modal
operator K_i for the knowledge of agent A_i is then defined in the usual way: (C, N) ⊨ K_iφ iff for all C',
C ~_i C' implies (C', N) ⊨ φ.

We now give the truth conditions for all formulae in ℒ in a network N. The set of atomic propositions
considered in [10] is AP = {x = v, x = y, A_i has q, q_1 ... q_n = |ψ⟩, q_i = q_j}. In a configuration C of a
network N the truth conditions for these atomic propositions are given as follows:

\[
\begin{array}{lcl}
(C,N) \models x = v & \text{iff} & \text{there is an agent } i \text{ such that } \Gamma_i(x) = v \\
(C,N) \models x = y & \text{iff} & \text{there are agents } i, j \text{ such that } \Gamma_i(x) = \Gamma_j(y) \\
(C,N) \models A_i \text{ has } q & \text{iff} & q \in Q_i \\
(C,N) \models q_1 \ldots q_n = |\psi\rangle & \text{iff} & q_1 \ldots q_n = |\psi\rangle \\
(C,N) \models q_i = q_j & \text{iff} & \text{there is } |\psi\rangle \text{ such that } |\psi\rangle = q_i = q_j
\end{array}
\]



In networks the small-step rules given in Section 2.1 determine a transition relation → such that
C → C' iff there is a rule that applied to C returns C'. A path γ is an infinite sequence of configurations
C_0 → C_1 → ... Further, γ^n denotes the n-th state in the sequence, i.e., C_n. Finally, for each agent A_i
in the network, we introduce the epistemic equivalence relation ~_i such that C ~_i C' iff Γ_i = Γ'_i and
ε_i = ε'_i. Given the network N, a configuration C, and a formula φ ∈ ℒ, the satisfaction relation ⊨ is defined
as follows:

\[
\begin{array}{lcl}
(C,N) \models p & \text{iff} & C \text{ satisfies the corresponding condition above for atomic } p \in AP \\
(C,N) \models \neg\varphi & \text{iff} & (C,N) \not\models \varphi \\
(C,N) \models \varphi \vee \varphi' & \text{iff} & (C,N) \models \varphi \ \text{or}\ (C,N) \models \varphi' \\
(C,N) \models EX\varphi & \text{iff} & \text{there is a path } \gamma \text{ such that } \gamma^0 = C \text{ and } (\gamma^1,N) \models \varphi \\
(C,N) \models EG\varphi & \text{iff} & \text{there is a path } \gamma \text{ such that } \gamma^0 = C \text{ and for all } n \in \mathbb{N},\ (\gamma^n,N) \models \varphi \\
(C,N) \models E\varphi U\varphi' & \text{iff} & \text{there is a path } \gamma \text{ such that } \gamma^0 = C,\ \text{for some } n \in \mathbb{N},\ (\gamma^n,N) \models \varphi', \\
& & \text{and for all } n',\ 0 \le n' < n \text{ implies } (\gamma^{n'},N) \models \varphi \\
(C,N) \models K_i\varphi & \text{iff} & \text{for all } C' \in \mathcal{C}_N,\ C \sim_i C' \text{ implies } (C',N) \models \varphi
\end{array}
\]

A formula φ ∈ ℒ is true in a network N, or N ⊨ φ, iff for all configurations C, (C,N) ⊨ φ.



2.4 Quantum Teleportation Protocol 

The goal of the Quantum Teleportation Protocol (QTP) is to transmit a qubit from one party to another
with the aid of an entangled pair of qubits and classical resources. For reasons of space we refer to [5] for
a detailed presentation of QTP. The DMC specification of the protocol is given in [9] as:

\[
N_{QTP} = A : \{1,2\}.[(c!s_2 s_1).M_2^0 M_1^0 E_{12}] \;\mid\; B : \{3\}.[X_3^{x_2} Z_3^{x_1}.(c?x_2 x_1)] \;\|\; E_{23}.
\]

The informal reading is as follows: Alice A and Bob B share the entangled pair E_23 of qubits 2 and 3, and
Alice wants to transmit the input qubit 1. In the first step, she entangles (E_12) her qubits 1 and 2. Then she
measures (M_1^0 M_2^0) both of them. Next, she sends via classical communication (c!s_2 s_1) the measurement
outcomes to Bob. Upon receipt (c?x_2 x_1), Bob applies corrections (X_3^{x_2} Z_3^{x_1}) to his qubit 3 depending on
these measurements. The result is that Bob's qubit 3 is guaranteed to be in the same state as Alice's input
qubit 1.



3 Formal Mapping 

In this section we present a methodology for translating a protocol specified in DMC into the corresponding
IS. Formally, we define a mapping f : DMC → IS, such that f preserves satisfaction of formulae in the
specification language ℒ. First, we describe the translation of the global quantum state and classical
states of agents. Then we cover the rules in DMC. Finally, we show that f is sound.



3.1 Classical States of Agents and Global Quantum State 

Given a network N we introduce an agent i ∈ Ag for each agent A_i(i_i,o_i) : Q_i.ε_i in N, as well as the
Environment agent E. We take a local state l_i ∈ L_i of agent i to be a tuple of vector variables (x, y, s, q, pc)
defined as follows:

• Each classical input bit in i_i is mapped to a variable y ∈ l_i in the domain {0, 1}.

• A bit received from an agent via the classical receive event c?x in the event sequence ε_i is mapped
to a variable x ∈ l_i in the domain {0, 1, ⊥}, where ⊥ denotes the undefined value before communication.

• A variable s ∈ l_i, called signal, represents the outcome of a measurement event M_q^α in the event
sequence ε_i, where q is the measured qubit and α is a measurement angle. A signal can attain
values {0, 1, ⊥}, where ⊥ denotes the undefined value of the signal before the agent executes the
measurement.

• A variable q ∈ l_i in the domain {0, 1, 2} represents the ownership relation between agent A_i and
qubit q with the following meaning: if A_i is not in possession of q, i.e., q ∉ Q_i, then we take q = 0.
If A_i owns the qubit q, i.e., q ∈ Q_i, then q = 1 or q = 2. The former value represents that A_i does
not know the exact state of the qubit, the latter value represents that she knows it. We assume
that the agent knows the state of the qubit once she measures it or prepares it in a specific state.
This is motivated by the fact that there is classical information involved in both cases. However, the agent loses
this knowledge when she sends the qubit to another agent, as it is no longer in her possession, or
entangles it with another qubit. Note that correction commands preserve knowledge because they
are deterministic actions that neither entangle nor separate qubits.

• pc ∈ l_i is a counter for the events in the event sequence ε_i executed by agent A_i.



Example 1. Consider the specification of QTP in DMC as given in Section 2.4. The local state
of Alice is described by the tuple l_A = (s_1, s_2, q_1, q_2, q_3, pc), and similarly the local state of Bob is
l_B = (x_1, x_2, q_1, q_2, q_3, pc). In the initial state Alice owns the input qubit q_1 and the qubit q_2 of the entangled pair,
while Bob owns the qubit q_3, and neither of them knows anything about their qubits. Alice has not yet
measured any qubit nor has she sent anything to Bob. The program counters of both agents point to the
first event in their event sequences. All this is captured in the variable assignments (⊥, ⊥, 1, 1, 0, 1) for Alice
and (⊥, ⊥, 0, 0, 1, 1) for Bob.



A local state l_E ∈ L_E of the Environment represents the quantum state σ of the network. l_E is a tuple
of vector variables (q, q', e, gc) defined as follows:

• We divide the global quantum state at any given time into the smallest possible substates, individual
qubits and/or systems of entangled qubits, such that these are in pure states, i.e., they can be
represented as a vector in a Hilbert space. We generate the reachable quantum state space of the
network using the small-step rules for patterns and enumerate all such encountered substates. Thus,
every reachable substate has an associated name qs_n, n ∈ ℕ.

• For every qubit q ∈ N we introduce a variable q ∈ l_E. The domain of q is the set of names of
quantum states that q may attain in any run of the protocol, together with the value ⊥ indicating
that the qubit is not in a pure state but entangled with other qubits.

• Similarly, for every system of entangled qubits we introduce a variable e ∈ l_E. The domain of e is
the set of names of quantum states that the system may attain, together with the value ⊥ indicating
that either the system is not in a pure state or its qubits are not entangled.

• Each variable q and e is assigned a name if and only if they are pure and cannot be further separated.
Otherwise, they are assigned the value ⊥. The global state σ is then the tensor product of these
substates.

• In addition, we make use of an auxiliary variable q' for each qubit q ∈ N recording the name of its
initial state, and introduce the global counter gc ∈ l_E that increases with every action in the network.
This is used to track the global time and to enumerate the configurations in 𝒞_N according to their
occurrence in the path.
[Table 1: Enumeration of quantum substates in the evolution of QTP. Columns: Action, Qubit/Entangled System, Name (with the corresponding state vector). The table assigns the names qs_1, qs_2, ... to the pure substates that q_1, q_2, q_3, e_23 and e_123 take after each quantum command of the protocol, starting from the initial states of q_1 and e_23; the state vectors of the table body did not survive extraction.]



Example 2. The global quantum state of QTP is represented in the local state of the Environment
E as the tuple l_E = (q_1, q_2, q_3, q'_1, q'_2, q'_3, e_23, e_123, gc). The initial state of the input qubit q_1 is [a, b]^T for
a, b ∈ ℂ. We assume that it is not equal to the states [1, 0]^T and [0, 1]^T of the standard basis, nor to the states
(1/2)[√2, √2]^T and (1/2)[√2, −√2]^T of the measurement basis. In these cases there are fewer states, but the
procedure is analogous. Table 1 shows the enumeration of substates occurring in all possible runs of the
network, as Alice and Bob execute quantum commands according to QTP. For instance, the initial state
of the network is (qs_1, ⊥, ⊥, qs_1, ⊥, ⊥, qs_2, ⊥, 1). Note that only the input qubit q_1 and the system e_23 of two
entangled qubits have assigned named states. This is because the individual qubits q_2 and q_3 are not in
a pure state and the system e_123 of all three qubits can be further separated. Indeed, the whole quantum
state can be expressed as the tensor product [a, b]^T ⊗ (1/2)[1, 1, 1, −1]^T, or by using names qs_1 ⊗ qs_2.



3.2 Transition Rules 

Events in the event sequence ε_i of agent A_i are mapped into actions in Act_i. Actions are executed according
to a protocol function P_i and their effects are described by evolution functions t_i and t_E depending on
whether the classical state of agent A_i changes, or the quantum state σ of the system changes, or both.
Before introducing the mapping for events, note that DMC is a probabilistic calculus, whereas IS have a
Boolean semantics. We deal with this issue by allowing all admissible transitions, abstracting away from
the probability distribution. As a result, we lose the ability to reason about the probability of reaching a
state. However, this is not an issue for us as we need to reason about non-probabilistic properties only, as
the choice of the language ℒ demonstrates.

Note also that the execution of a pattern 𝔓 in DMC occurs in a single transition step and depends
on the big-step semantics of the pattern (see Rule (1)). However, we handle transitions at the level of
individual commands of 𝔓, and so the execution depends on the small-step semantics of patterns and
may span several time steps. This leads to a finely grained state space. In the rest of this section we
present the actions, the protocols, and the evolution functions associated with the classical and quantum
communication and the quantum commands presented in Section 2.1.

Classical rendez-vous. Assume that agent A_i sends the value of y to agent A_j who stores it in x,
specified in DMC as Γ_i, A_i : Q_i.c!y and Γ_j, A_j : Q_j.c?x, and that this is the v-th (resp. w-th) event in
ε_i (resp. ε_j). We translate this by considering the actions snd_j_y0 and snd_j_y1 in the set Act_i of actions for
agent i, and the action rcv_i_x in Act_j. The protocol functions are:

P_i(l_i) = {snd_j_y0}, if pc = v ∧ y = 0,
P_i(l_i) = {snd_j_y1}, if pc = v ∧ y = 1,
P_j(l_j) = {rcv_i_x}, if pc = w.

The configuration transition, described by Rule (2), is translated into the following evolution functions for
the agents i and j:

t_i(l_i, Act_i, Act_j) = pc ↦ pc + 1, if (Act_i = snd_j_y0 ∨ Act_i = snd_j_y1) ∧ Act_j = rcv_i_x,
t_j(l_j, Act_i, Act_j) = pc ↦ pc + 1 ∧ x ↦ 0, if Act_i = snd_j_y0 ∧ Act_j = rcv_i_x,
t_j(l_j, Act_i, Act_j) = pc ↦ pc + 1 ∧ x ↦ 1, if Act_i = snd_j_y1 ∧ Act_j = rcv_i_x.

The rationale behind the above equations is that when agents perform paired send/receive actions at
the same time step, their program counters are incremented, and variable x of agent A_j is assigned the
transmitted value.

Quantum communication. Assume that agent A_i sends a qubit q ∈ Q_i to agent A_j, described as
Γ_i, A_i : Q_i.qc!q and Γ_j, A_j : Q_j.qc?q, and that this is the v-th (resp. w-th) event in ε_i (resp. ε_j). We introduce
actions qsnd_j_q and qrcv_i_q in Act_i and Act_j respectively. The protocol functions are:

P_i(l_i) = {qsnd_j_q}, if pc = v,
P_j(l_j) = {qrcv_i_q}, if pc = w.

Rule (3) defines the configuration transition in terms of the sets of qubits Q_i and Q_j. When A_i sends the qubit
q, it is removed from her set, and when A_j receives q, it is added to her set. This is translated into IS by
the evolution functions:

t_i(l_i, Act_i, Act_j) = pc ↦ pc + 1 ∧ q ↦ 0, if Act_i = qsnd_j_q ∧ Act_j = qrcv_i_q,
t_j(l_j, Act_i, Act_j) = pc ↦ pc + 1 ∧ q ↦ 1, if Act_i = qsnd_j_q ∧ Act_j = qrcv_i_q.

This means that when both agents concurrently execute the respective quantum communication events,
their local program counters are incremented, and the ownership of the qubit changes, i.e., A_i is no longer
in possession of q while A_j owns it but does not know its state.

Corrections. The events X_q^s and Z_q^s differ only in their matrix representations, so we describe them
together. Assume that agent A_i executes the Pauli operator X or the Pauli operator Z on a qubit q at step
v of ε_i if signal s = 1, otherwise she skips the event. This scenario has the following DMC description:
Γ_i, A_i : {q} ∪ R_i.U_q^s, with U_q^s ∈ {X_q^s, Z_q^s}. We introduce actions x_q and z_q in Act_i, and since the agent applies
the event conditionally, we also include the action skip. In the rest of the description we refer to both
actions x_q and z_q as u_q. The protocol function is then given as:

P_i(l_i) = {skip}, if pc = v ∧ s = 0;
P_i(l_i) = {u_q}, if pc = v ∧ s = 1.

For example, we have the following ground protocol function for Bob in QTP:

P_B(l_B) = {skip}, if pc = 3 ∧ x_1 = 0;
P_B(l_B) = {z_q3}, if pc = 3 ∧ x_1 = 1;
P_B(l_B) = {skip}, if pc = 4 ∧ x_2 = 0;
P_B(l_B) = {x_q3}, if pc = 4 ∧ x_2 = 1.
The small-step semantics for corrections is defined as σ, Γ_i →(U_q) U_q σ, Γ_i. Assume that the qubit q is in
system e, which again may be just q or some entangled system. The local state of the agent A_i changes
only through the pc increment. We define the evolution functions as:

t_E(l_E, Act_i) = gc ↦ gc + 1 ∧ e ↦ qs_y, if e = qs_x ∧ Act_i = u_q;
t_i(l_i, Act_i) = pc ↦ pc + 1, if Act_i = u_q ∨ Act_i = skip;

where qs_x (resp. qs_y) is the name of the state before (resp. after) the execution. The ground evolution
function of E in QTP with respect to Bob's corrections X_3^{x_2} Z_3^{x_1} is given as the following equations
corresponding to measurement outcomes x_1x_2 ↦ 10, x_1x_2 ↦ 01, and x_1x_2 ↦ 11 respectively. Note that in
the last case Bob executes both actions z_q3 and x_q3 sequentially, while in the first two cases he executes
only one of them and skips the other.

t_E(l_E, Act_B) = gc ↦ gc + 1 ∧ q_3 ↦ qs_1, if q_3 = qs_8 ∧ Act_B = z_q3;
t_E(l_E, Act_B) = gc ↦ gc + 1 ∧ q_3 ↦ qs_1, if q_3 = qs_9 ∧ Act_B = x_q3;
t_E(l_E, Act_B) = gc ↦ gc + 1 ∧ q_3 ↦ qs_9, if q_3 = qs_10 ∧ Act_B = z_q3.

Entanglement. Assume that agent A_i applies at step v of ε_i the entanglement operator E_qr on qubits q
and r. The DMC definition of the agent in this case is Γ_i, A_i : {q, r} ∪ R_i.E_qr. Since this event is independent
of signals, we add only one corresponding action ent_q_r to Act_i and define the following protocol function:
P_i(l_i) = {ent_q_r}, if pc = v. The small-step rule for entanglement is given as σ, Γ_i →(E_qr) ∧Z_qr σ, Γ_i, where
∧Z_qr is the controlled-Z operator realising the entanglement. Since we divide the global state σ into its
smallest pure substates, we have two possible situations. In the first case q ∈ e' and r ∈ e'', where e' and
e'' are isolated qubits, distinct entangled systems, or a combination of both. The resulting entangled system
e is the union of the two systems e' and e'', and we define the evolution function of the Environment E as:

t_E(l_E, Act_i) = gc ↦ gc + 1 ∧ e ↦ qs_z ∧ e' ↦ ⊥ ∧ e'' ↦ ⊥, if e' = qs_x ∧ e'' = qs_y ∧ Act_i = ent_q_r;

where qs_x, qs_y, and qs_z are the names of the quantum states in which the systems e', e'' are during the
execution of the event, and e after the execution. For instance, the ground evolution function in QTP for
Alice's entanglement E_12 is:

t_E(l_E, Act_A) = gc ↦ gc + 1 ∧ e_123 ↦ qs_3 ∧ q_1 ↦ ⊥ ∧ e_23 ↦ ⊥,
if q_1 = qs_1 ∧ e_23 = qs_2 ∧ Act_A = ent_q1_q2.

Note that there may be many possible combinations of various states for e' and e'', and we have to define
the evolution function for all of them. In the second case the qubits q and r are part of the same system e
and we simply have the evolution function:

t_E(l_E, Act_i) = gc ↦ gc + 1 ∧ e ↦ qs_y, if e = qs_x ∧ Act_i = ent_q_r,

where qs_x (resp. qs_y) is the name of the state before (resp. after) the execution. In both cases the local
state of agent A_i is updated as follows:

t_i(l_i, Act_i) = pc ↦ pc + 1 ∧ q ↦ 1 ∧ r ↦ 1, if Act_i = ent_q_r.

This equation states that the counter of A_i is incremented and the agent loses any knowledge about the
state of q and r she might have had, since neither qubit is in a pure state anymore.

Measurement. This is a complex event modifying the quantum state of the network as well as the
local states of agents. Suppose that agent A_i in step v of ε_i measures her qubit q in the {|+α⟩, |−α⟩} basis,
specified in DMC as Γ_i, A_i : {q} ∪ R_i.^t[M_q^α]^s, where s and t are signals. A measurement is a stochastic event
and may also depend on signals s and t. We express this non-determinism by associating two actions to a
given local state l_i of agent i. However, due to a possible dependency on signals s and t, there are four
different sets of actions and protocol rules. We list them in Table 2, where ∅ means that the measurement
does not depend on a particular signal.

(s, t) = (∅, ∅)
  Actions:  m_q_+a, m_q_-a
  Protocol: P_i(l_i(g)) = {m_q_+a, m_q_-a}, if pc = v

(s, t) = (s, ∅)
  Actions:  m_q_s0_+a, m_q_s0_-a, m_q_s1_+a, m_q_s1_-a
  Protocol: P_i(l_i(g)) = {m_q_s0_+a, m_q_s0_-a}, if pc = v ∧ s = 0
            P_i(l_i(g)) = {m_q_s1_+a, m_q_s1_-a}, if pc = v ∧ s = 1

(s, t) = (∅, t)
  Actions:  m_q_t0_+a, m_q_t0_-a, m_q_t1_+a, m_q_t1_-a
  Protocol: P_i(l_i(g)) = {m_q_t0_+a, m_q_t0_-a}, if pc = v ∧ t = 0
            P_i(l_i(g)) = {m_q_t1_+a, m_q_t1_-a}, if pc = v ∧ t = 1

(s, t) = (s, t)
  Actions:  m_q_s0_t0_+a, m_q_s0_t0_-a, m_q_s0_t1_+a, m_q_s0_t1_-a,
            m_q_s1_t0_+a, m_q_s1_t0_-a, m_q_s1_t1_+a, m_q_s1_t1_-a
  Protocol: P_i(l_i(g)) = {m_q_s0_t0_+a, m_q_s0_t0_-a}, if pc = v ∧ s = 0 ∧ t = 0
            P_i(l_i(g)) = {m_q_s0_t1_+a, m_q_s0_t1_-a}, if pc = v ∧ s = 0 ∧ t = 1
            P_i(l_i(g)) = {m_q_s1_t0_+a, m_q_s1_t0_-a}, if pc = v ∧ s = 1 ∧ t = 0
            P_i(l_i(g)) = {m_q_s1_t1_+a, m_q_s1_t1_-a}, if pc = v ∧ s = 1 ∧ t = 1

Table 2: Actions and protocol rules for various degrees of dependency of measurements.

The following two transitions are defined in the small-step semantics for the measurement event:
σ, Γ_i →_λ ⟨+α|_q σ, Γ_i[s ↦ 0] and σ, Γ_i →_λ ⟨−α|_q σ, Γ_i[s ↦ 1]. This is the source of non-determinism
in the transition system, but we do not consider the probability λ as long as it is non-zero.

There are again four types of evolution functions. They differ in the computation of quantum states,
and since we give only the general rules, here we describe the evolution functions only for the independent
measurement, i.e., when s = t = ∅. As far as the translation rules are concerned, the other three types
differ only in the names of the actions and the actual names of quantum states. We can translate them
analogously.

We now consider two cases where both measurement outcomes are possible. First, for the measurement
of an isolated qubit q we define the evolution function of the Environment E as follows:

t_E(l_E, Act_i) = gc ↦ gc+1 ∧ q ↦ qs_{+α}, if q = qc_x ∧ Act_i = m_q_+a;
t_E(l_E, Act_i) = gc ↦ gc+1 ∧ q ↦ qs_{−α}, if q = qc_x ∧ Act_i = m_q_-a;

where qs_{+α} and qs_{−α} are the names of the {|+α⟩, |−α⟩} measurement basis states. If the qubit q is part of an
entangled system e, then the system becomes separated on measurement. The measured qubit q collapses
and the rest of the qubits form a new system e'. We define the evolution function as follows:

t_E(l_E, Act_i) = gc ↦ gc+1 ∧ q ↦ qs_{+α} ∧ e ↦ ⊥ ∧ e' ↦ qs_y, if e = qc_x ∧ Act_i = m_q_+a;
t_E(l_E, Act_i) = gc ↦ gc+1 ∧ q ↦ qs_{−α} ∧ e ↦ ⊥ ∧ e' ↦ qs_z, if e = qc_x ∧ Act_i = m_q_-a.

In both cases the measurement outcome is assigned to a signal variable s' of agent A_i and her evolution
function is given by:

t_i(l_i, Act_i) = pc ↦ pc+1 ∧ s' ↦ 0 ∧ q ↦ 2, if Act_i = m_q_+a;
t_i(l_i, Act_i) = pc ↦ pc+1 ∧ s' ↦ 1 ∧ q ↦ 2, if Act_i = m_q_-a.

For instance, consider the first measurement that Alice performs in QTP. All three qubits are entangled
together and therefore measuring the input qubit q_1 causes separation of the system e_123 into two parts,
q_1 and e_23, and has two possible outcomes. Both have probability λ = 0.5, but we do not take this into
account since all we require is that they are non-zero; therefore the respective transitions are admissible.
We have the following ground evolution functions for the Environment and Alice:

t_E(l_E, Act_A) = gc ↦ gc+1 ∧ q_1 ↦ qs_4 ∧ e_123 ↦ ⊥ ∧ e_23 ↦ qs_6, if e_123 = qc_3 ∧ Act_A = m_q1_+a;
t_E(l_E, Act_A) = gc ↦ gc+1 ∧ q_1 ↦ qs_5 ∧ e_123 ↦ ⊥ ∧ e_23 ↦ qs_7, if e_123 = qc_3 ∧ Act_A = m_q1_-a;
t_A(l_A, Act_A) = pc ↦ pc+1 ∧ s_1 ↦ 0 ∧ q_1 ↦ 2, if Act_A = m_q1_+a;
t_A(l_A, Act_A) = pc ↦ pc+1 ∧ s_1 ↦ 1 ∧ q_1 ↦ 2, if Act_A = m_q1_-a.

In the case that the measured qubit is in a state that coincides with one of the states of the measurement
basis, there is only one possible outcome and we need to prevent reaching an impossible state. The
translation of the transition function in case that a measurement outcome has zero probability requires a
modification of the evolution functions. We only show the case when the outcome |−α⟩ is impossible. The
evolution function of the Environment is given as:

t_E(l_E, Act_i) = gc ↦ gc+1 ∧ q ↦ qs_{+α}, if q = qc_{+α} ∧ (Act_i = m_q_+a ∨ Act_i = m_q_-a).

The Environment "signals" that the measurement of q in a quantum state qs_x has only one possible
outcome. We introduce an action env_x in Act_E and define the following protocol function: P_E(l_E) = {env_x},
if q = qs_x. The evolution function of agent i is then defined as:

t_i(l_i, Act_i, Act_E) = pc ↦ pc+1 ∧ s' ↦ 0 ∧ q ↦ 2, if Act_i = m_q_+a ∨ (Act_i = m_q_-a ∧ Act_E = env_x);
t_i(l_i, Act_i, Act_E) = pc ↦ pc+1 ∧ s' ↦ 1 ∧ q ↦ 2, if Act_i = m_q_-a ∧ Act_E ≠ env_x.



3.3 Correctness Proof 

We now show that the translation f defined in the previous section is sound, that is, f preserves the
truth conditions of formulae defined in the language L introduced in Section 2.2 from the set of atomic
propositions AP = {x = y, q_i = q_j}. In [7] the truth conditions for the atoms in AP in a configuration C of
a network N are given as follows:

(C, N) ⊨ x = y      iff there are agents i, j such that Γ_i(x) = Γ_j(y);
(C, N) ⊨ q_i = q_j  iff the global quantum state σ is such that σ ⊨ q_i = q_j.

Intuitively, x = y holds iff the bits denoted by x and y are equal. Also, q_i = q_j holds iff the qubits
denoted by q_i and q_j are equal. We can prove the following result on the translation f and the language L.

Theorem 1. For every formula φ ∈ L,

(C, N) ⊨ φ  iff  (f(N), f(C)) ⊨ φ.

Proof. The proof is by induction on the length of φ. For reasons of space, we only provide a sketch
of the proof. If φ is an atomic formula, then φ is of the form a = b, where a and b are both either
bits or qubits. By the definition of f(C) in Section 3.1 we can easily check that (C, N) ⊨ a = b iff
(f(N), f(C)) ⊨ a = b. Thus, the base case holds. The inductive case for the propositional connectives
¬ and ∨ is straightforward.

If φ = EXψ, then by the translation of events in the event sequence E into actions in Act defined
in Section 3.2 we can see that two configurations C, C' ∈ N are in the temporal relation induced by
E, or C → C', iff their translations f(C), f(C') ∈ f(N) are in the temporal relation induced by Act, or
f(C) →_Act f(C'). The result then follows by the induction hypothesis. The inductive case for the other
temporal operators is similar.

If φ = K_i ψ, then by the definition of the local state l_i of an agent i in Section 3.1 we have that
l_i(f(C)) = l_i(f(C')) iff Γ_i = Γ'_i and the remaining components of l_i coincide, that is, C ∼_i C' iff f(C) ∼_i f(C'). Also in this case the
result follows by the induction hypothesis. This completes the sketch. □

Theorem 1 allows us to check whether a specification φ ∈ L is satisfied in a network N by verifying φ
in the corresponding interpreted system f(N).



4 Implementation and Evaluation 

In this section we present an implementation of the formal map above. DMC2ISPL (1) is a source-to-source
compiler, written in C++ and using GNU Octave libraries for matrix operations. DMC2ISPL translates a
protocol specified in a machine-readable DMC input format into an ISPL program. The code generated is
then run by MCMAS, which in turn reports on the specification requirements of the protocol.

We modified DMC so that it can be read by the compiler. The adaptation closely follows the syntax of
the original DMC, but also reflects some features of ISPL. A DMC file consists of five modules: a set of
agents, a set of qubits whose initial state is explicitly declared, a set of groups of agents that are used
in formulae involving group modalities, a set of formulae to be verified, and a set of macros that allow
agents to perform complex quantum operations in a single time step. The declaration of an agent consists
of a set of input qubits, a set of a priori known qubits, a set of classical inputs, and a set of events the
agent executes. For illustration, the DMC code snippet for QTP can be found in Listing 1.



-- AGENTS
Alice: {1, 2},
       {},
       {},
       {c!(Bob, s2), c!(Bob, s1), Me(2,0,-,-,s2), Me(1,0,-,-,s1), En(1,2)};
Bob:   {3},
       {},
       {},
       {cX(3, x2), cZ(3, x1), c?(Alice, x2), c?(Alice, x1)};

-- QUBITS
1: ?;
2, 3: {(0.5, 0), (0.5, 0), (0.5, 0), (-0.5, 0)};

-- FORMULAE
AF {3 = init(1)};
!EF K(Alice, {3}) and !EF K(Bob, {3});
AF K(Bob, {3 = init(1)});
!EF K(Alice, {3 = init(1)});

Listing 1: QTP.dmc



(1) The source code is available from http://www.doc.ic.ac.uk/~pg809/dmc2ispl.tar.gz

Figure 1: The epistemic accessibility relations of Alice and Bob in the QTP network.

DMC2ISPL has the architecture of a standard compiler. It consists of the three following components:
a module for parsing and validating the DMC input file, a module for generating the reachable quantum
state space, and a module for generating the ISPL output file. Essentially, since MCMAS does not
support matrix arithmetic, the compiler is responsible for the computation of the reachable quantum state
space, the enumeration of encountered quantum states, and the generation of the evolution function of the global
quantum system. Quantum states of an n-qubit system are represented as 2^n × 1 complex matrices, and
unitary operators and measurement projections as 2^n × 2^n sparse complex matrices. After the elimination
of the global phase, whenever two identical state matrices are encountered during the evolution of the
quantum state of the n-qubit system, they are assigned the same name. MCMAS then works with these
enumerations.

We used the compiler to verify QTP, as well as the Quantum Key Distribution (QKD) [12] and the
Superdense Coding (SDC) [4] protocols, against the properties from the reference papers [7, 10]. Table 3
summarises these properties. We discuss QTP in more detail.

Figure 1 gives a graphical representation of the possible configurations in the QTP network. Note
that configurations are parametrised by measurement outcomes and the quantum input |ψ⟩. The first
formula in the QTP section of Table 3 states that the N_QTP network is correct, since the state of Bob's qubit
q_3 will eventually be equal to the initial state of Alice's qubit q_1. The second formula states that neither
agent knows the actual quantum state of the qubit q_3 at any point of the computation. The third formula
states that Bob eventually knows that the state of his qubit q_3 is equal to the initial state of qubit q_1. The
last formula states that Alice never knows this fact.

Interestingly, while [10] states that all four formulae are true in the model, MCMAS evaluated the
last formula to false. The reason is that even though Alice cannot distinguish the two configurations concerned
(both parametrised by |ψ⟩), the atom q_3 = init(q_1) holds in both configurations, as Bob does not apply any correction
for measurement outcomes s_1 s_2 ↦ 00, and so the quantum state of the system is invariant along this
path. This shows the importance of an automated algorithmic approach to verification as opposed to a
hand-made inspection.
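The observation above, the measurement translation of Section 3.2 (outcome probabilities, collapse, separation of the entangled system and the zero-probability case behind env_x) and the state enumeration modulo global phase just described can all be exercised on QTP with the following Python script. It is an added example, not DMC2ISPL's code: it takes the initial state of qubits 2 and 3 from Listing 1, a constructed input |ψ⟩ = 0.6|0⟩ + 0.8|1⟩, and Alice's and Bob's events in the order they execute (En(1,2), Me(1,0,...), Me(2,0,...), then cZ and cX on qubit 3), enumerates every admissible outcome path, names the states it meets modulo global phase, and reports whether q_3 = init(q_1) holds before and after Bob's corrections. The qubit ordering, the StateNames class and the helper names are assumptions of the example.

```python
import cmath
import math

# Added example (not DMC2ISPL's code). States are lists of complex amplitudes;
# qubit 1 is the most significant bit of the index. The input |ψ> is constructed.

def n_qubits(state):
    return len(state).bit_length() - 1

def _with_bit(j, p, b):
    """Index obtained by inserting bit b at bit position p of index j."""
    lo = j & ((1 << p) - 1)
    return ((j >> p) << (p + 1)) | (b << p) | lo

def cz(state, a, b):
    """Entanglement event En(a, b): controlled-Z, sign flip where both bits are 1."""
    n = n_qubits(state)
    pa, pb = n - a, n - b
    return [-x if (i >> pa) & 1 and (i >> pb) & 1 else x for i, x in enumerate(state)]

def pauli(state, q, which):
    """Bob's corrections cX / cZ on qubit q."""
    n, out = n_qubits(state), list(state)
    p = n - q
    for i, x in enumerate(state):
        if which == "Z" and (i >> p) & 1:
            out[i] = -x
        elif which == "X":
            out[i ^ (1 << p)] = x
    return out

def measure(state, q, alpha):
    """Measure qubit q in the {|+α>, |-α>} basis, <±α| = (<0| ± e^{-iα}<1|)/√2.
    Returns {outcome: (λ, rest)}: λ is the outcome probability and rest the
    normalised state of the remaining qubits (e -> e' in the paper), or None
    when λ = 0, i.e. when that transition is not admissible."""
    n = n_qubits(state)
    p, phase = n - q, cmath.exp(-1j * alpha)
    result = {}
    for outcome, sign in (("+a", 1), ("-a", -1)):
        rest = [(state[_with_bit(j, p, 0)] + sign * phase * state[_with_bit(j, p, 1)]) / math.sqrt(2)
                for j in range(1 << (n - 1))]
        lam = sum(abs(x) ** 2 for x in rest)
        result[outcome] = (lam, [x / math.sqrt(lam) for x in rest] if lam > 1e-12 else None)
    return result

def admissible_outcomes(state, q, alpha):
    """Outcomes with non-zero probability; a single entry is the env_x situation."""
    return [o for o, (lam, _) in measure(state, q, alpha).items() if lam > 1e-12]

def canonical(state, digits=6):
    """Global-phase-free, rounded key: |φ> and e^{iθ}|φ> get the same key."""
    pivot = next(x for x in state if abs(x) > 1e-9)
    u = pivot / abs(pivot)
    return tuple((round((x / u).real, digits), round((x / u).imag, digits)) for x in state)

class StateNames:
    """Enumeration of encountered states, qs_0, qs_1, ..., as DMC2ISPL does."""
    def __init__(self):
        self.table = {}
    def name(self, state):
        return self.table.setdefault(canonical(state), f"qs_{len(self.table)}")

def qtp_paths(psi):
    """Every admissible outcome path of QTP: {(s1, s2): (probability,
    q3 = init(q1) before Bob's corrections, q3 = init(q1) after them)}."""
    names = StateNames()
    init_q1 = names.name(psi)
    e23 = [0.5, 0.5, 0.5, -0.5]                           # qubits 2, 3 as declared in Listing 1
    e123 = cz([a * b for a in psi for b in e23], 1, 2)   # En(1, 2)
    report = {}
    for o1, (l1, rest1) in measure(e123, 1, 0.0).items():      # Me(1,0,-,-,s1)
        if rest1 is None:
            continue                                            # zero-probability transition
        s1 = 0 if o1 == "+a" else 1
        for o2, (l2, q3) in measure(rest1, 1, 0.0).items():    # Me(2,0,-,-,s2); qubit 2 is now first
            if q3 is None:
                continue
            s2 = 0 if o2 == "+a" else 1
            before = names.name(q3) == init_q1
            fixed = pauli(q3, 1, "Z") if s1 else q3             # cZ(3, x1) ...
            fixed = pauli(fixed, 1, "X") if s2 else fixed       # ... then cX(3, x2)
            report[(s1, s2)] = (round(l1 * l2, 6), before, names.name(fixed) == init_q1)
    return report

if __name__ == "__main__":
    for path, res in sorted(qtp_paths([0.6, 0.8]).items()):
        print(path, res)
    print(admissible_outcomes([2 ** -0.5, 2 ** -0.5], 1, 0.0))
```

Only the s_1 s_2 = 00 path reports q_3 = init(q_1) before the corrections, which is exactly why the configurations Alice cannot tell apart on that path both satisfy the atom; on the 11 path the corrected state is −|ψ⟩, and it is the global-phase elimination in canonical that lets it receive the same name as init(q_1). Measuring |+⟩ at angle 0 returns a single admissible outcome, the situation the env_x action handles in the translation.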

We conclude with some performance considerations. The tests were carried out on a 32-bit Fedora 
12 Linux machine with a 2.26GHz Intel Core2 Duo processor and 2.9GiB RAM as follows: first, we 
translated the DMC specification into the corresponding ISPL code using the compiler, then we analysed 
the resulting code using MCMAS. Table 4 reports the results for the three protocols. It can be seen that
all protocols were verified very quickly. This is due to their small state space and the limited number of
entangled qubits involved.

Protocol   Formula                                                Reading
QTP        AF(q_3 = init(q_1))                                    q_3 eventually equals initial q_1
           ¬EF K_A(q_3 = |ψ⟩) ∧ ¬EF K_B(q_3 = |ψ⟩)                neither A nor B ever knows state of q_3
           AF K_B(q_3 = init(q_1))                                B eventually knows q_1 was teleported
           ¬EF K_A(q_3 = init(q_1))                               A never knows q_1 was teleported
QKD        a_A = a_B → AF(K_A(s_1 = s_2) ∧ K_B(s_1 = s_2))        success if A & B used the same basis
           a_A ≠ a_B → ¬EF(K_A(s_1 = s_2) ∨ K_B(s_1 = s_2))       failure if A & B used different bases
SDC        AF(s_1 = y_1 ∧ s_2 = y_2)                              B eventually receives the inputs of A
           AF K_B(s_1 = y_1 ∧ s_2 = y_2)                          B eventually knows the inputs
           ¬EF K_A K_B(s_1 = y_1 ∧ s_2 = y_2)                     A never knows the fact above

Table 3: Verified properties of QKD and SDC protocols.

Protocol   Reachable States       Memory (kB)            Time (s)
           DMC2ISPL   MCMAS       DMC2ISPL   MCMAS       DMC2ISPL   MCMAS
QTP        40         108         7184       6068        0.015      0.066
QKD        53         348         7240       6119        0.016      0.014
SDC        4239       2192        8132       6279        0.112      0.407

Table 4: Verification results for QTP, QKD and SDC protocols.

However, the amount of required resources grows exponentially for a constant increase in the number 
of entangled qubits. Additionally, measuring a quantum system using many different measurement angles 
results in many unique quantum states, which in turn requires a large number of enumeration values and 
an extensive evolution function. This affects the verification of a quantum protocol by MCMAS. We 
analysed several experimental protocols to test the limits of the tool. The results showed that protocols 
with up to 10' reachable classical states and 20 entangled qubits can be realistically verified. 



5 Conclusion 

In this paper we presented a methodology for the automated verification of quantum distributed systems 
via model checking. We defined a translation from DMC to IS, so that MCMAS can be used to verify 
protocols specified in DMC. Even though the translation does not take into account stochastic properties 
of quantum protocols, in the sense that we abstract away from the underlying probability distribution, 
many useful non-probabilistic properties can still be verified, as shown in the reference papers [7, 10]. We
implemented the methodology in a source-to-source compiler and adapted the DMC formalism to be 
used as an input language for the compiler. Several quantum protocols were translated and their temporal 
epistemic properties were successfully checked with MCMAS. 

Given the universality of the underlying Measurement Calculus [8], the expressive power of DMC in
terms of available quantum operations is complete. However, DMC does not support any control flow 
statement for the classical part of protocols. This is one of the two major limitations of the technique, 
although it can be solved by a suitable extension of the language. Another limitation results from the state 
space explosion and cannot be easily overcome since the quantum simulator requires exponential time 
and space on a classical computer. 